On-chain "reconciliation": How GMX uses a 10% bounty to "persuade" hackers to return a huge sum of money?
Written by: Luke, Mars Finance
In the world of cryptocurrency, the two most expensive letters might just be "OK".
When an address successfully "withdrew" assets worth 42 million dollars from the GMX protocol, upon receiving a "reassurance letter" sent by the project team on-chain, this mysterious hacker did not elaborate or show off their skills, but calmly responded with two letters in a single transaction: "ok". Subsequently, most of the funds were returned along the original route.
This single "ok" ended a textbook-level DeFi attack and also raised countless questions: How did a sure thing that had already flown the coop come flying back? What was this successful "scientist" (crypto slang for a skilled on-chain operator) really thinking? Was it a sudden pang of conscience, or was there something else behind it?
This is not a simple story of "there's honor among thieves." It resembles a western showdown taking place in a digital wasteland, except the weapons used by both sides are code, game theory, and precise calculations of human greed and fear. To understand why the hacker refunded the money, we must first return to the thrilling scene of the attack and see how this "expert" pulled off his "operation."
"Blitzkrieg": a precise surgical strike
Before the attack occurred, GMX was the brightest star in the Arbitrum ecosystem, boasting a total locked value (TVL) of over $450 million and a massive user base, making it the "happy home" for countless traders. With great prominence comes great attention, and it naturally became a "mobile vault" in the eyes of top predators.
On July 9, the hacker made his move. He did not choose brute force cracking; instead, like an experienced surgeon, he found a deeply hidden "lesion" in the GMX V1 code. At the core of this attack was the dreaded "reentrancy vulnerability" that insiders talk about with fear, but the method had been upgraded. This expert did not charge in mindlessly; instead, he combined the reentrancy attack with another logical flaw in how the GMX protocol calculates the total value of assets under management (AUM), putting on a remarkable performance of "using four taels to move a thousand pounds" (achieving an outsized effect with a small input).
In simple terms, he was like a gambler who could simultaneously play the roles of "referee" and "athlete." At the moment of opening a position, he exploited the loophole to influence the calculation of the overall price, creating an extremely favorable price out of thin air for himself, and then immediately closed the position to redeem, making off with the money. The entire process was seamless and fluid, showing that his understanding of GMX's underlying code had long surpassed that of the majority.
The actions taken after the successful theft further exposed his "professionalism." First, the funds were "washed" through Tornado Cash to conceal their traces, and then a key move occurred: he quickly exchanged the stolen large amount of USDC stablecoins for decentralized DAI. This action seemed superfluous but was a textbook-level hedging operation, laying the most important groundwork for his later "compromise."
The market reaction was terrifyingly real. The price of GMX tokens plummeted in a "waterfall" effect, dropping nearly 28% within a few hours, and the community was filled with wails of despair. The project team urgently "pulled the plug" and suspended related functions to prevent the treasury from being further emptied.
On-chain shout: A "cyber bounty" mixed with threats and inducements.
In the face of the crisis, the GMX project team did not choose to report to the police but instead did something very "Crypto"—they called out on-chain. They sent a transaction directly to the hacker's address, with a carefully worded "persuasion letter" in the memo:
"Brother, we have experienced your skills. Now here’s an opportunity for you: keep 10% (about 5 million dollars) as a 'white hat bounty' and return the remaining 90% within 48 hours. We will consider this matter settled and will not pursue any further action. I hope you make an ethical choice."
This set of "carrot and stick" tactics can be regarded as the standard public relations process after a theft in the DeFi world. The carrot is a huge bounty sufficient to grant anyone financial freedom, while the stick is the legal threat hidden behind the promise of "no pursuit." The 48-hour countdown further applies tremendous psychological pressure on the hacker, leaving him with insufficient time to launder the money at a leisurely pace.
In response to this "ultimatum," the hacker's reply was nothing short of brilliant. No excuses, no mockery, just a simple "ok." Concise yet full of attitude, as if to say: "Got it, let's follow the process."
The Hacker's Calculation: Why Spit Out the "Fat Meat" That Is Within Reach?
Did the hacker really feel moved by these words and repent on the spot? Of course not. Behind this is a coldly extreme weighing of pros and cons.
First of all, this is a surefire deal. The hacker has two options: Plan A, attempt to launder the entire $42 million. However, this huge sum is already being monitored by on-chain detectives around the world (such as PeckShield, SlowMist), and every step of the transfer will be publicly broadcast. He needs to play a cat-and-mouse game with regulators, use high-risk mixing tools, and constantly worry that something could go wrong, leading to asset freezing. Plan B, accept the amnesty and take the $5 million "legal" bounty. This money is almost risk-free, with the project party personally endorsing it, reducing both the difficulty of money laundering and the risk of being tracked to a minimum.
For a rational "economic man" pursuing maximum returns, is it better to run wildly through a hail of bullets with a truckload of gold, or to calmly take home a box of diamonds and sleep? The answer is self-evident.
Secondly, and most importantly, is the "Sword of Damocles" hanging over his head: the "backdoor" of centralized stablecoins. Why did the hacker rush to exchange USDC for DAI as soon as he succeeded? Because he knows that stablecoin issuers like Circle (USDC) and Tether (USDT) are essentially centralized companies. They have the ability to freeze the assets at any address at the request of law enforcement, and have done so repeatedly. This means that the tens of millions of USDC in his address could turn into a worthless string of numbers at any moment. This "centralized Achilles' heel" existing inside "decentralized finance" is the strongest trump card that forced him back to the negotiating table.
Finally, we have seen the evolution of the hacker role: from a destroyer to a "professional bounty hunter." Early hackers may have had a touch of idealism or showmanship, such as the attacker of Poly Network who left a long message, claiming to do it "for fun." But today's top hackers are becoming more pragmatic. Their logic is more like: discover a high-value vulnerability → demonstrate its worth through a "shock education" style attack → force the project party to pay a "super bounty" far exceeding the regular bug bounty. Rather than calling them hackers, it is more accurate to say they are "vulnerability hunters" operating in a gray area, and GMX this time, unfortunately, became their prey.
Conclusion: The Fragile New Equilibrium of the Wild West
The GMX incident came to a peculiar conclusion: most users' assets were retrieved, the project maintained its reputation, while the hacker vanished into the vast ocean of addresses with a large sum of money.
This incident perfectly illustrates a kind of "fragile equilibrium" in the current DeFi world. On one hand, the transparency of blockchain leaves no hiding place for malicious actions; on the other hand, the reliance of DeFi on centralized institutions provides a handle for countermeasures. The interplay of these two factors has given rise to this new paradigm of "attack-negotiation-bounty."
As an anonymous white-hat hacker negotiation expert said, while offering hackers a 10% bounty may sound like encouraging crime, "when you are faced with ordinary users who have their lives and fortunes at stake, they don't care about any damn principles, they just want their money back."
The road to security in DeFi is fraught with challenges and long. Before absolutely secure code is born, this digital wild west will continue to showcase a series of spectacular confrontations interwoven with code, money, and human nature. The story of GMX is just one exciting chapter in this never-ending game of cat and mouse.